In today's generation, every enterprise infrastructure backbone is Linux. Linux servers are most useful in SaaS applications, personal blogs, or enterprise infrastructure. But if you use Linux everywhere, there is some chance of an open invitation for malicious actors. These open ports are targeted by hackers, and they scan the internet continuously, and when they track an open port, they hack your Linux server.
To protect your data and infrastructure, you must be aware of that. Here is guidance on how to secure your Linux server against modern cyber threats and how to build your Linux server securely and powerfully.
Initial Setup
In every Linux server, the first step to keeping our system is up to date. When we update and upgrade our system, all our software is also up to date. So we use the below command to update and upgrade our system.
sudo apt update && sudo apt upgrade -y
For RHEL, CentOS or AlmaLinux use dnf instead of apt in the above command.
The second step is to create a non-root user with sudo privileges. If you log in with root and install something with root, then you indirectly invite hackers to hack your server system. So we create a dedicated user for administration.
adduser newuser usermod -aG sudo newuser
SSH Hardening
SSH is used to connect to your server. If this connection is weak, then your whole system becomes weak. For creating a strong environment, we have to create a strong connection method.
Here we make all changes in the SSH configuration file. To make changes, open /etc/ssh/sshd_config and change it as per the below instructions.
In /etc/ssh/sshd_config, first we change from port 22 to a non-standard port (e.g., Port 2244). This defends your system against thousands of automated script-kiddie attacks.
Then disable Root Login using PermitRootLogin no, and then disable password authentication. For that, change the above file like PasswordAuthentication no, and one more change is to limit user access. Here we give limited users permission to log in; for that, we change it like — if our username is newuser, then AllowUsers newuser.
Whenever we make changes to the above, always restart our SSH or SSHD service using the below command.
sudo systemctl restart sshd
Implement Two-Factor Authentication (2FA) for SSH
This is more important to implement when there are some errors in SSH or your SSH keys are compromised, as 2FA defends your whole system against any attack. Now follow the below method for how to install and enable 2FA for SSH.
First, we install the PAM module.
sudo apt install libpam-google-authenticator -y
Now, initialize Google Authenticator by following the below instructions. You must configure the 2FA settings for your specific user account using the below command.
google-authenticator
Configure PAM to Require 2FA: For that, we edit the /etc/pam.d/sshd file and add the below line at the bottom of the configuration file.
auth required pam_google_authenticator.so
After that, we update the SSH configuration. For that, we change authentication from no to yes in /etc/ssh/sshd_config and change the following line:
KbdInteractiveAuthentication yes
After all changes in the SSHD configuration file, restart the SSH service using the below command.
sudo systemctl restart sshd
Add Firewall Rules
A firewall is the best network traffic controller for outgoing and incoming traffic as we set rules. For a Debian/Ubuntu environment, we will use UFW.
Configure UFW Specifications:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow SSH
sudo ufw allow HTTP
sudo ufw allow HTTPS
sudo ufw enable
For the firewall, we set all permissions as above for more security. This gives your Linux server security.
Defence with Fail2Ban against attack
Fail2Ban is best used for monitoring log files and automatically banning IP addresses that show some doubtful signs. Here we follow the below method for installing Fail2Ban and then enabling and starting it.
sudo apt install fail2ban -y sudo systemctl enable fail2ban sudo systemctl start fail2ban
Create a local configuration file /etc/fail2ban/jail.local and configure the SSH jail to ban IPs after 5 failed attempts for a specified duration (e.g., 12 hours).
Conclusion
Securing a Linux server is not a one-time setup but an active and ongoing process. You can make your defense system powerful using 2FA, UFW firewalls, SSH hardening, and Fail2Ban. When you set this up, you drastically shrink your attack surface, which gives you the best security against outside attacks. If you want a more powerful environment, keep your packages updated and monitor your system regularly, as this will give you strong security against hackers.
